Zack Whittaker of TechCrunch is reporting that some users of the OKCupid app are reporting that hackers have broken into their accounts, and changed passwords and associated email addresses – effectively locking users out of their online profiles.
A quick search on social media uncovers a number of other users who have experienced a similar problem.
@okcupid My account was just hacked about 20 minutes ago and passed/email changed, trying to find a contact email but been unable to. Any help?
— Kieron Scott (@RyanCavendell) February 4, 2019
Worryingly, the unnamed user who contacted TechCrunch reported that they had not received any communication from OKCupid asking them to confirm they wished to change the email address associated with their account. Furthermore, “the hacker started harassing him strange text messages from his phone number that was lifted from one of his private messages.”
It’s easy to imagine the harm that could result from a hacker reading users’ private communications on a dating app.
In the past, dating and casual hookup sites like eHarmony, Plenty of Fish, AdultFriendFinder, and – most infamously – Ashley Madison have been hacked – but OKCupid are at pains to make clear that this isn’t what has happened to them.
A spokesperson for OKCupid told TechCrunch that the company had not suffered a security breach, and instead pointed the finger of suspicion at accounts being compromised by hackers guessing weak, easy-to-guess passwords, or – most likely – the common phenomenon of users unwisely reusing passwords across multiple services. As we’ve explained many times before, using the same password in multiple places is a recipe for disaster.
OkCupid’s own support knowledgebase warns of the danger of reusing passwords:
If you use the same password on several different sites or services, then your accounts on all of them have the potential to be taken over if one site has a security breach. Lists including your email address and passwords can be sold to bad actors who will try your password on lots of different sites until they find one that works.
None of this is untrue, although it doesn’t explain how several OKCupid users have told TechCrunch that their OKCupid passwords were not used on any other website or app.
OkCupid offers a number of suggestions on how users can protect their accounts:
How to protect your OkCupid account
- Use a password unique to OkCupid
- Practice good password security: use a mix of letters, numbers, capitalization, and symbols. The longer the password is, the better.
- Change your password regularly
- Don’t use your OkCupid account on public computers
- Run an antivirus program regularly on your computer
I’m personally not a fan of advising people to change their passwords regularly, but the other problem with this list is what it’s missing: two-factor authentication (2FA).
2FA can offer an additional layer of security if a bad guy does manage to determine your username and password. When they try to log into your account from an unrecognised device, a site’s 2FA check can request that a six-digit number is entered after the username and password. That number is typically generated by an app on your smartphone – a smartphone that your wannabe account hacker doesn’t have access to.
My recommendation is that you should enable two-factor authentication (or its close cousin two-step verification) on as many of your online accounts as possible to protect yourself from being hacked. Sadly many dating sites don’t appear to offer 2FA, which when you consider what’s at risk is really rather disgraceful in this day and age.
Visit 2fa.directory to determine if the websites you use offer 2FA, and ensure that you enable it as soon as possible.
And, obviously, make sure you are using different passwords for different online accounts.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.